Recently one of my clients had one of their servers attacked. The intrusion detection caught it, and I believe a lot of the malicious stuff they were trying were correctly filtered out by asp.net as dangerous requests, but in order to understand more about what was/is going on, I worked with 2 tools to help look at the situation a little deeper.
First, I wanted to look at the live requests coming to the server and see the payloads they contained. To do this, I installed WireShark on the server, and started to capture traffic.
Wireshark as 2 types of filters: capture filters and display filters. From the capture side of things, you can really cut down on the noise if you filter out the stuff you don’t care about. So I used a capture filter of tcp port 80 or tcp port 443
Then, while the capture is running you can type in a display filter so that you can tell if you are getting the specific type of request you are interested in during the current trace. In this case, I was only interested in http POSTs, so I could use this filter http.request.method == “POST”
This way you can let the trace run until you see records start to come through that match both filters.
The other thing I wanted to do was to look at log files to see how the traffic to the site changed over time. To do this I installed MS Log Parser and the Log Parser Lizard. With these two tools it allows for a nice UI and SQL queries against the data. As you can see below, the requests/attacks started at 5:52.
